Updating Applications On OpenBSD Hosts


Periodically, OpenBSD releases new patches to address application reliability and security issues. These patches are made available as source diff files on the OpenBSD errata website. This article describes how I went about addressing a bind erratum (errata number 021) on an OpenBSD 3.5 server.

Patching applications

To apply a patch to a freshly installed OpenBSD server, you first need to download the system sources (src.tar.gz and sys.tar.gz) for the OpenBSD release you are using. You can find the sources for each release on one of the OpenBSD mirrors:

$ ftp osmirrors.cerias.purdue.edu

ftp> cd pub/OpenBSD/3.5

ftp> ls -la
227 Entering Passive Mode (128,10,252,13,143,64)
150 Data connection accepted from 68.211.198.203:31212; transfer starting.
-r--r--r--   1 ftpuser  ftpusers     21926 Apr 30  2004 ANNOUNCEMENT
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  7  2004 Changelogs
-r--r--r--   1 ftpuser  ftpusers      3036 Apr  6  2004 HARDWARE
-r--r--r--   1 ftpuser  ftpusers     71073 Apr  6  2004 PACKAGES
-r--r--r--   1 ftpuser  ftpusers      2520 Apr  6  2004 PORTS
-r--r--r--   1 ftpuser  ftpusers      8001 Apr  6  2004 README
-r--r--r--   1 ftpuser  ftpusers      1474 Apr  6  2004 SIZES
-r--r--r--   1 ftpuser  ftpusers  63290819 Apr  6  2004 XF4.tar.gz
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 alpha
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 amd64
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 cats
-r--r--r--   1 ftpuser  ftpusers      6768 Jul  6 04:03 ftplist
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 hp300
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr 12  2004 hppa
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr 14  2004 i386
drwxr-xr-x   3 ftpuser  ftpusers      4096 Apr  6  2004 mac68k
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 macppc
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr 12  2004 mvme68k
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 mvme88k
drwxr-xr-x  13 ftpuser  ftpusers      4096 Apr 12  2004 packages
-r--r--r--   1 ftpuser  ftpusers   7062307 Apr  6  2004 ports.tar.gz
-r--r--r--   1 ftpuser  ftpusers     76477 Apr  6  2004 root.mail
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 sparc
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 sparc64
-r--r--r--   1 ftpuser  ftpusers  99087733 Apr  6  2004 src.tar.gz
-r--r--r--   1 ftpuser  ftpusers  15205979 May  7  2004 sys.tar.gz
drwxr-xr-x   4 ftpuser  ftpusers      4096 Apr  1  2004 tools
drwxr-xr-x   2 ftpuser  ftpusers      4096 Apr  6  2004 vax
226 Listing completed.

ftp> pwd
257 "/pub/OpenBSD/3.5" is cwd.

Once you are logged into the anonymous FTP server, you need to retrieve the src.tar.gz and sys.tar.gz archives. After the files are retrieved, the tar utility can be used to extract the archives into the /usr/src directory:

$ cd /usr/src

$ tar xfvz sys.tar.gz

$ tar xfvz src.tar.gz

Once the source has been extracted, the patch to address the errata can be retrieved from the OpenBSD website and applied with the patch utility:

$ cd /usr/src/

$ patch -p0 < 021_bind.patch

After the patch is applied, the build steps that are provided in the patch header need to be followed. Here are the steps that are provided for building bind once the bind errata patch has been applied:

$ head -5 021_bind.patch

|And then rebuild and install bind:
|       cd usr.sbin/bind
|       make -f Makefile.bsd-wrapper obj
|       make -f Makefile.bsd-wrapper
|       make -f Makefile.bsd-wrapper install

         ........
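Because patch -p0 uses the file paths exactly as they are written in the patch, it is worth looking at what a patch will touch before applying it in /usr/src. The following is an added example, not part of the original article or of OpenBSD: it prints the build instructions from the patch header, lists the files the patch names, and checks that all of them are relative paths inside the source tree. The function names, the sample file name example.c and the diff body are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): inspect an errata patch
# before running `patch -p0` on it in /usr/src. Sample data is constructed.

# Print the instruction header: every line before the first diff line.
patch_header() {
    awk '/^(Index: |--- |diff )/ { exit } { print }' "$1"
}

# Print each file named by the "Index:", "---" and "+++" lines, once.
patch_targets() {
    awk '/^(Index:|---|[+][+][+]) / { print $2 }' "$1" | sort -u
}

# Succeed only if the patch names at least one file and every name is a
# relative path without ".." components, so that -p0 stays inside the
# directory patch is run from.
targets_are_contained() {
    targets=$(patch_targets "$1")
    [ -n "$targets" ] || return 1
    ! printf '%s\n' "$targets" | grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Constructed sample patch: the header repeats the build steps quoted in
# the article; the file name and diff body are placeholders.
write_sample_patch() {
    cat > "$1" <<'EOF'
And then rebuild and install bind:
        cd usr.sbin/bind
        make -f Makefile.bsd-wrapper obj
        make -f Makefile.bsd-wrapper
        make -f Makefile.bsd-wrapper install

Index: usr.sbin/bind/example.c
--- usr.sbin/bind/example.c (constructed old revision)
+++ usr.sbin/bind/example.c (constructed new revision)
@@ -1,1 +1,1 @@
-old line
+new line
EOF
}

demo=$(mktemp -d)
write_sample_patch "$demo/021_bind.patch"
patch_header "$demo/021_bind.patch"
targets_are_contained "$demo/021_bind.patch" && patch_targets "$demo/021_bind.patch"
rm -rf "$demo"
```

If targets_are_contained fails, read the patch by hand before running patch on it as root.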

Conclusion

The patch process is straightforward and is thoroughly documented in each patch header. The OpenBSD developers take quality and security very seriously, so the number of patches released for a given version of OpenBSD will be far fewer than for most other operating systems.